0

I am trying to INSERT some data into a database. I can do this on one FIELD just not on multiple. It seems to be a simple syntax issue. The error I get is:

Parse error: syntax error, unexpected ',', expecting ']'

The error is on the INSERT line:

<?php
$con = mysql_connect("local","username","password");
if (!$con)
{die('Could not connect: ' . mysql_error());}

mysql_select_db("npsreviews", $con);

$sql="INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('$_POST[DATE]', '$_POST[STORE]', '$_POST[5STAR]', '$_POST[4STAR]', '$_POST[3STAR]', '$_POST[2STAR]', '$_POST[1STAR]', '$_POST[TOTAL]', '$_POST[NPS]')";

if (!mysql_query($sql,$con)){die('Error: ' . mysql_error());}

mysql_close($con);
?>

Thanks in advance, I cannot find the answer when looking for multiple $_POST.

user229044
ToddN
  • What is a "multiple $_POST"? Can you explain more? Are you talking about `$_POST` values that are arrays? Also, please read about [SQL injection](http://en.wikipedia.org/wiki/SQL_injection), a vulnerability that your code suffers from. – Charles Feb 13 '12 at 23:33
  • Shouldn't it be `'$_POST["3STAR"]'`, etc? – amindfv Feb 13 '12 at 23:34
  • You are opening yourself to *hilariously* awful SQL injection. Throw this entire block of code out, it is *absolutely unsalvageable*, and start over using [PDO](http://php.net/manual/en/book.pdo.php). Whatever tutorial you've used to produce this code is terribly out of date. – user229044 Feb 13 '12 at 23:35
  • @Charles I am VERY new to php and sql sorry for the confusion. I meant simply I need to POST all that data, so I assumed I say multiple times. – ToddN Feb 13 '12 at 23:36
  • @meager http://www.php.net/manual/en/function.mysql-connect.php for part of it – ToddN Feb 13 '12 at 23:40
  • @ToddN It is possible to produce safe (if dated) code with the `mysql_` family of functions, but you shouldn't. Use PDO. If you're learning something new either way, you might as well learn the *modern* equivalent. – user229044 Feb 13 '12 at 23:47

3 Answers

3

First of all, you're missing quotes around the array indices. It should be `$_POST["STORE"]`, not `$_POST[STORE]`. Secondly, you can't index arrays this way with string interpolation. You'll need to use the `{$...}` syntax:

$x = array("key" => "value");

echo "The value of 'key' is '{$x["key"]}'";

Or concatenate the pieces of the string:

echo "The value of 'key' is '" . $x["key"] . "'";

Either method will produce:

The value of 'key' is 'value'

Note: I've answered your question as a simple syntax error, but this does not solve your real problem, which is rampant SQL injection vulnerability.

user229044
  • OK, I'll look into that as well; this is to be used as an internal database. – ToddN Feb 13 '12 at 23:48
  • The simplest, not the best, solution to the injection problem would be to use the second format (concatenate) and `mysql_real_escape_string()` functions. Thus `echo "the value of 'key' is '" . mysql_real_escape_string($x["key"]) . "'";` – Kennith Nichol Feb 14 '12 at 00:17
1

The SQL query should look like this:

$sql="INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('{$_POST["DATE"]}', 
'{$_POST["STORE"]}', '{$_POST["5STAR"]}', '{$_POST["4STAR"]}', '{$_POST["3STAR"]}', '{$_POST["2STAR"]}', 
'{$_POST["1STAR"]}', '{$_POST["TOTAL"]}', '{$_POST["NPS"]}')";

But overall your SQL query is prone to SQL injection, so I would recommend cleaning your POST data before doing anything with it.

Read more about SQL injections here.

You can clean your $_POST using this:

$_POST = array_map('mysql_real_escape_string',$_POST);

Or use PDO and prepared statements to accomplish SQL INSERTs, UPDATEs, etc.

Jaspreet Chahal
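Both of the answers above point at PDO prepared statements as the real fix for the injection problem (the first in its closing note, the second in its last line), but neither shows what that looks like for this particular INSERT. The following is an added example, not code from the question or from any of the answers: the same nine-column insert into `burkett` written with PDO, with the values bound as parameters instead of being pasted into the query text. The host, database name and credentials are assumed placeholders, and the validation rules (an ISO date, a non-empty store name, integer counts) are assumptions about what the form submits, since the question does not describe the data.

```php
<?php
// Added example (not from the original question or answers): the INSERT from
// the question rewritten with PDO prepared statements.
// Assumed placeholders: host, database name and credentials.
$dsn  = 'mysql:host=localhost;dbname=npsreviews;charset=utf8mb4';
$user = 'username';
$pass = 'password';

// Raise exceptions on errors and use real server-side prepares rather than
// client-side emulation, so query text and data travel separately.
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Only these POST keys are read; anything else in $_POST is ignored.
$intFields = ['5STAR', '4STAR', '3STAR', '2STAR', '1STAR', 'TOTAL', 'NPS'];

// Validate the input before it gets anywhere near the query.
// DATE: assumed to be submitted as YYYY-MM-DD.
$date = (string)($_POST['DATE'] ?? '');
$d = DateTime::createFromFormat('Y-m-d', $date);
if ($d === false || $d->format('Y-m-d') !== $date) {
    http_response_code(400);
    exit('DATE must be YYYY-MM-DD');
}

// STORE: assumed to be a short free-text name.
$store = trim((string)($_POST['STORE'] ?? ''));
if ($store === '' || strlen($store) > 100) {
    http_response_code(400);
    exit('STORE is required (max 100 characters)');
}

// Star counts, TOTAL and NPS: assumed to be integers (NPS may be negative).
$counts = [];
foreach ($intFields as $f) {
    $v = filter_var($_POST[$f] ?? null, FILTER_VALIDATE_INT);
    if ($v === false) {
        http_response_code(400);
        exit("$f must be an integer");
    }
    $counts[$f] = $v;
}

// The SQL contains only named placeholders; no user data is concatenated in.
// Column names are backtick-quoted because several of them start with a digit.
$sql = 'INSERT INTO `burkett`
        (`DATE`, `STORE`, `5STAR`, `4STAR`, `3STAR`, `2STAR`, `1STAR`, `TOTAL`, `NPS`)
        VALUES (:date, :store, :s5, :s4, :s3, :s2, :s1, :total, :nps)';

$stmt = $pdo->prepare($sql);
$stmt->execute([
    ':date'  => $date,
    ':store' => $store,
    ':s5'    => $counts['5STAR'],
    ':s4'    => $counts['4STAR'],
    ':s3'    => $counts['3STAR'],
    ':s2'    => $counts['2STAR'],
    ':s1'    => $counts['1STAR'],
    ':total' => $counts['TOTAL'],
    ':nps'   => $counts['NPS'],
]);

echo 'Inserted row id ' . $pdo->lastInsertId();
```

The design choice here is separation rather than escaping: the statement is compiled by the server before any value is supplied, so a submitted value such as `O'Brien` or a string containing a quote and a semicolon is stored literally and can never change the shape of the query. That is what makes it a stronger fix than the `mysql_real_escape_string()` approach mentioned in the comments, which depends on every single value being escaped correctly and with the right connection charset.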
0

Escape it like so:

$sql= "INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('" . $_POST['DATE'] . "', '" . $_POST['STORE'] . "', '" . $_POST['5STAR'] . "', '" . $_POST['4STAR'] . "', '" . $_POST['3STAR'] . "', '" . $_POST['2STAR'] . "', '" . $_POST['1STAR'] . "', '" . $_POST['TOTAL'] . "', '" . $_POST['NPS'] . "')";
john smith